1 Reply Latest reply on Sep 25, 2017 3:47 PM by bmoore

    Block Known Malicious Non-PE Files on End Point

    bmoore

      I have TIE and DXL working in my environment and can set the reputation for an executable file to KNOWN MALICIOUS in TIE and it is correctly detected and quarantined on an end point that has the Adaptive Threat Protection client installed. However, I cannot get it to work with a non-PE file, like a PDF or MS Office document. I have these file types selected in the TIE Server settings, but they don't appear to work.

      I found KB88099 from Jan 2017, which states at the bottom:

      "Only Point Products that support the listed file types can benefit from the TIE Server configuration. As of the publishing of this article, the TIE Module for VSE 1.x, TIE ENS 10.2, and ATP ENS 10.5 do not support scanning of non-PE file types."

      I have tried the latest Adaptive Threat Protection client and it still doesn't work. I am still on TIE 2.0 and the next thing to try is upgrading TIE, but I have been unable to find any documentation that confirms that this is even possible with the endpoint technologies. Has anyone actually been able to detect and stop PDF or Office files on an endpoint based on the TIE reputation? I am starting to think that this isn't currently possible.

      Thanks.

        • 1. Re: Block Known Malicious Non-PE Files on End Point
          bmoore

          Just to let the group know, I heard back from our McAfee SE and apparently it is not currently possible to do what I am trying to do with the existing endpoint products (TIE and ATP). Today, only executable (PE) files can be blocked on the endpoint using a TIE reputation. They are currently working on developing the ability to control other file types, but I am not sure when it will be available.